event

Autogenerated API

argus_api.lib.events.v2.event.get_event(timestamp: int, customerID: int, eventID: str, includeProperties: str = None, includeAllProperties: bool = None, includeComments: bool = None, includeSubEvents: bool = None, json: bool = True, verify: Optional[bool] = None, proxies: Optional[dict] = None, apiKey: Optional[str] = None, authentication: Optional[dict] = None, server_url: Optional[str] = None, body: Optional[dict] = None, api_session: Optional[ArgusAPISession] = None) -> dict

Fetches corresponding event (DEV)

Parameters
  • timestamp (int) – Event timestamp

  • customerID (int) – Customer ID

  • eventID (str) – Event ID

  • includeProperties (list) – Which properties to include in the response (if includeAllProperties=false)

  • includeAllProperties (bool) – Whether to include all properties

  • includeComments (bool) – Whether to include comments

  • includeSubEvents (bool) – Whether to include sub-event IDs

  • json – return the response’s body as a dict parsed from json. True by default. If set to false, the raw requests.Response object will be returned.

  • verify – path to a certificate bundle or boolean indicating whether SSL verification should be performed.

  • apiKey – Argus API key.

  • authentication – authentication override

  • server_url – API base URL override

  • body – body of the request. Other parameters will override keys defined in the body.

  • api_session – session to use for this request. If not set, the global session will be used.

Raises
Returns

dictionary translated from JSON

argus_api.lib.events.v2.event.get_event_compatibility(type: str, timestamp: int, customerID: int, eventID: str, includeProperties: str = None, includeAllProperties: bool = None, includeComments: bool = None, includeSubEvents: bool = None, json: bool = True, verify: Optional[bool] = None, proxies: Optional[dict] = None, apiKey: Optional[str] = None, authentication: Optional[dict] = None, server_url: Optional[str] = None, body: Optional[dict] = None, api_session: Optional[ArgusAPISession] = None) -> dict

Fetches corresponding event (by compatibility path) (DEV)

Parameters
  • type (str) – Event type (ignored, provided for path compatibility)

  • timestamp (int) – Event timestamp

  • customerID (int) – Customer ID

  • eventID (str) – Event ID

  • includeProperties (list) – Which properties to include in the response (if includeAllProperties=false)

  • includeAllProperties (bool) – Whether to include all properties

  • includeComments (bool) – Whether to include comments

  • includeSubEvents (bool) – Whether to include sub-event IDs

  • json – return the response’s body as a dict parsed from json. True by default. If set to false, the raw requests.Response object will be returned.

  • verify – path to a certificate bundle or boolean indicating whether SSL verification should be performed.

  • apiKey – Argus API key.

  • authentication – authentication override

  • server_url – API base URL override

  • body – body of the request. Other parameters will override keys defined in the body.

  • api_session – session to use for this request. If not set, the global session will be used.

Raises
Returns

dictionary translated from JSON

argus_api.lib.events.v2.event.get_event_statistics(subCriteria: dict = None, type: str = None, startTimestamp: int = None, endTimestamp: int = None, timeFieldStrategy: str = None, timeMatchStrategy: str = None, severity: str = None, eventIdentifier: str = None, customer: str = None, productionCustomers: bool = None, endpoint: dict = None, attack: dict = None, domain: str = None, includeFlag: str = None, excludeFlag: str = None, property: dict = None, associatedCaseID: int = None, groupBy: dict = None, timeline: dict = None, json: bool = True, verify: Optional[bool] = None, proxies: Optional[dict] = None, apiKey: Optional[str] = None, authentication: Optional[dict] = None, server_url: Optional[str] = None, body: Optional[dict] = None, api_session: Optional[ArgusAPISession] = None) -> dict

Generate the requested statistics for events matching the provided search criteria. (DEV)

Parameters
  • subCriteria (list)

  • type (list) – Restrict search to events of this type. If nothing is specified, all types are returned.

  • startTimestamp (int) – Restrict search to data after this time (epoch millis)

  • endTimestamp (int) – Restrict search to data before this time (epoch millis)

  • timeFieldStrategy (list) – Which time fields to search for

  • timeMatchStrategy (str) – Which time match strategy to use. Defaults to matching if any (default any)

  • severity (list) – Which severities to search for

  • eventIdentifier (list) – Which event identifiers to search for

  • customer (list) – Which customers to search for events for. Search by id or short name

  • productionCustomers (bool) – Restricts the search to customers that either are, or are not, in production. If null (the default) no filter is applied; if true, only production customers are returned; if false, all production customers are excluded.

  • endpoint (list) – Restrict search to events with endpoints matching these criteria. These criteria follow sub request logic: they are OR-ed together by default, but AND-ed together if you set required=true. You can also use exclude=true to match on the negation of the query.

  • attack (list) – Restrict search to events matching these attack criteria. These criteria follow sub request logic: they are OR-ed together by default, but AND-ed together if you set required=true. You can also use exclude=true to match on the negation of the query.

  • domain (list) – Restrict search to events with one of these domains set

  • includeFlag (list) – Restrict search to events with ALL of these flags set

  • excludeFlag (list) – Restrict search to events with NONE of these flags set

  • property (list) – Restrict search to events with properties matching these criteria. These criteria follow sub request logic: they are OR-ed together by default, but AND-ed together if you set required=true. You can also use exclude=true to match on the negation of the query.

  • associatedCaseID (list) – Restrict search to events associated to cases with these IDs. NOTE: Searching for ID 0 will return events that are not associated to any cases.

  • groupBy (list) – The list of fields to group by. The order in the list determines the hierarchy of the aggregations and their buckets.

  • timeline (list) – The set of time range metrics used to create histogram buckets

  • json – return the response’s body as a dict parsed from json. True by default. If set to false, the raw requests.Response object will be returned.

  • verify – path to a certificate bundle or boolean indicating whether SSL verification should be performed.

  • apiKey – Argus API key.

  • authentication – authentication override

  • server_url – API base URL override

  • body – body of the request. Other parameters will override keys defined in the body.

  • api_session – session to use for this request. If not set, the global session will be used.

Raises
  • AuthenticationFailedException – on 401

  • AccessDeniedException – on 403

  • ObjectNotFoundException – on 404

  • ValidationFailedException – on 412

  • ArgusException – on other status codes

Returns

dictionary translated from JSON

argus_api.lib.events.v2.event.get_payload(timestamp: int, customerID: int, eventID: str, json: bool = True, verify: Optional[bool] = None, proxies: Optional[dict] = None, apiKey: Optional[str] = None, authentication: Optional[dict] = None, server_url: Optional[str] = None, body: Optional[dict] = None, api_session: Optional[ArgusAPISession] = None) -> dict

Fetch specified event payload (DEV)

Parameters
  • timestamp (int) – Event timestamp

  • customerID (int) – Customer ID

  • eventID (str) – Unique UUID for the event

  • json – return the response’s body as a dict parsed from json. True by default. If set to false, the raw requests.Response object will be returned.

  • verify – path to a certificate bundle or boolean indicating whether SSL verification should be performed.

  • apiKey – Argus API key.

  • authentication – authentication override

  • server_url – API base URL override

  • body – body of the request. Other parameters will override keys defined in the body.

  • api_session – session to use for this request. If not set, the global session will be used.

Raises
Returns

dictionary translated from JSON

argus_api.lib.events.v2.event.get_payload_compatibility(type: str, timestamp: int, customerID: int, eventID: str, json: bool = True, verify: Optional[bool] = None, proxies: Optional[dict] = None, apiKey: Optional[str] = None, authentication: Optional[dict] = None, server_url: Optional[str] = None, body: Optional[dict] = None, api_session: Optional[ArgusAPISession] = None) -> dict

Fetch specified event payload. This variant accepts a type parameter which is not used, but should make it easier to paste in AGGR-ids from the v1 api. (DEV)

Parameters
  • type (str) – Event type (ignored, provided for path compatibility)

  • timestamp (int) – Event timestamp

  • customerID (int) – Customer ID

  • eventID (str) – Unique UUID for the event

  • json – return the response’s body as a dict parsed from json. True by default. If set to false, the raw requests.Response object will be returned.

  • verify – path to a certificate bundle or boolean indicating whether SSL verification should be performed.

  • apiKey – Argus API key.

  • authentication – authentication override

  • server_url – API base URL override

  • body – body of the request. Other parameters will override keys defined in the body.

  • api_session – session to use for this request. If not set, the global session will be used.

Raises
  • AuthenticationFailedException – on 401

  • AccessDeniedException – on 403

  • ObjectNotFoundException – on 404

  • ValidationFailedException – on 412

  • ArgusException – on other status codes

Returns

dictionary translated from JSON

argus_api.lib.events.v2.event.get_pcap(timestamp: int, customerID: int, eventID: str, json: bool = True, verify: Optional[bool] = None, proxies: Optional[dict] = None, apiKey: Optional[str] = None, authentication: Optional[dict] = None, server_url: Optional[str] = None, body: Optional[dict] = None, api_session: Optional[ArgusAPISession] = None) -> requests.models.Response

Fetch specified event payload as PCAP (DEV)

Parameters
  • timestamp (int) – Event timestamp

  • customerID (int) – Customer ID

  • eventID (str) – Unique UUID for the event

  • json – return the response’s body as a dict parsed from json. True by default. If set to false, the raw requests.Response object will be returned.

  • verify – path to a certificate bundle or boolean indicating whether SSL verification should be performed.

  • apiKey – Argus API key.

  • authentication – authentication override

  • server_url – API base URL override

  • body – body of the request. Other parameters will override keys defined in the body.

  • api_session – session to use for this request. If not set, the global session will be used.

Raises
Returns

requests.Response object

argus_api.lib.events.v2.event.get_pcap_compatibility(type: str, timestamp: int, customerID: int, eventID: str, json: bool = True, verify: Optional[bool] = None, proxies: Optional[dict] = None, apiKey: Optional[str] = None, authentication: Optional[dict] = None, server_url: Optional[str] = None, body: Optional[dict] = None, api_session: Optional[ArgusAPISession] = None) -> requests.models.Response

Fetch specified event payload as PCAP. This variant accepts a type parameter which is not used, but should make it easier to paste in AGGR-ids from the v1 api. (DEV)

Parameters
  • type (str) – Event type (ignored, provided for path compatibility)

  • timestamp (int) – Event timestamp

  • customerID (int) – Customer ID

  • eventID (str) – Unique UUID for the event

  • json – return the response’s body as a dict parsed from json. True by default. If set to false, the raw requests.Response object will be returned.

  • verify – path to a certificate bundle or boolean indicating whether SSL verification should be performed.

  • apiKey – Argus API key.

  • authentication – authentication override

  • server_url – API base URL override

  • body – body of the request. Other parameters will override keys defined in the body.

  • api_session – session to use for this request. If not set, the global session will be used.

Raises
  • AuthenticationFailedException – on 401

  • AccessDeniedException – on 403

  • ObjectNotFoundException – on 404

  • ValidationFailedException – on 412

  • ArgusException – on other status codes

Returns

requests.Response object

argus_api.lib.events.v2.event.list_events(type: str = None, customer: str = None, signature: str = None, startTimestamp: int = None, endTimestamp: int = None, limit: int = 25, offset: int = None, json: bool = True, verify: Optional[bool] = None, proxies: Optional[dict] = None, apiKey: Optional[str] = None, authentication: Optional[dict] = None, server_url: Optional[str] = None, body: Optional[dict] = None, api_session: Optional[ArgusAPISession] = None) -> dict

Simple search for events (DEV)

Parameters
  • type (list) – Limit to events of this type

  • customer (list) – Limit to customer

  • signature (list) – Limit to signature

  • startTimestamp (int) – Only look for events after this timestamp

  • endTimestamp (int) – Only look for events before this timestamp

  • limit (int) – The max number of events to return

  • offset (int) – The offset of the search

  • json – return the response’s body as a dict parsed from json. True by default. If set to false, the raw requests.Response object will be returned.

  • verify – path to a certificate bundle or boolean indicating whether SSL verification should be performed.

  • apiKey – Argus API key.

  • authentication – authentication override

  • server_url – API base URL override

  • body – body of the request. Other parameters will override keys defined in the body.

  • api_session – session to use for this request. If not set, the global session will be used.

Raises
Returns

requests.Response object or dictionary translated from JSON

argus_api.lib.events.v2.event.reindex_events(eventID: str = None, json: bool = True, verify: Optional[bool] = None, proxies: Optional[dict] = None, apiKey: Optional[str] = None, authentication: Optional[dict] = None, server_url: Optional[str] = None, body: Optional[dict] = None, api_session: Optional[ArgusAPISession] = None) -> dict

Reindexes a set of events into the search engine (INTERNAL)

Parameters
  • eventID (list) – The events that should be reindexed. The set should contain event IDs on the Argus EventID format, e.g. AGGR/10000/1/8bf1732c-f845-409a-8425-8fad3b5007ab. If one of the IDs is malformed, or does not match an event you have access to, the request will fail.

  • json – return the response’s body as a dict parsed from json. True by default. If set to false, the raw requests.Response object will be returned.

  • verify – path to a certificate bundle or boolean indicating whether SSL verification should be performed.

  • apiKey – Argus API key.

  • authentication – authentication override

  • server_url – API base URL override

  • body – body of the request. Other parameters will override keys defined in the body.

  • api_session – session to use for this request. If not set, the global session will be used.

Raises
  • AuthenticationFailedException – on 401

  • AccessDeniedException – on 403

  • ValidationFailedException – on 412

  • ArgusException – on other status codes

Returns

dictionary translated from JSON

argus_api.lib.events.v2.event.search_events(subCriteria: dict = None, sortBy: str = None, type: str = None, startTimestamp: int = None, endTimestamp: int = None, timeFieldStrategy: str = None, timeMatchStrategy: str = None, severity: str = None, eventIdentifier: str = None, customer: str = None, productionCustomers: bool = None, endpoint: dict = None, attack: dict = None, domain: str = None, includeFlag: str = None, excludeFlag: str = None, property: dict = None, associatedCaseID: int = None, indexStartTimestamp: int = None, indexEndTimestamp: int = None, order: str = None, includeProperties: str = None, limit: int = 25, offset: int = None, includeAllProperties: bool = None, includeComments: bool = None, includeSubEvents: bool = None, json: bool = True, verify: Optional[bool] = None, proxies: Optional[dict] = None, apiKey: Optional[str] = None, authentication: Optional[dict] = None, server_url: Optional[str] = None, body: Optional[dict] = None, api_session: Optional[ArgusAPISession] = None) -> dict

Searches for events (DEV)

Parameters
  • subCriteria (list)

  • sortBy (list)

  • type (list) – Restrict search to events of this type. If nothing is specified, all types are returned.

  • startTimestamp (int) – Restrict search to data after this time (epoch millis)

  • endTimestamp (int) – Restrict search to data before this time (epoch millis)

  • timeFieldStrategy (list) – Which time fields to search for

  • timeMatchStrategy (str) – Which time match strategy to use. Defaults to matching if any (default any)

  • severity (list) – Which severities to search for

  • eventIdentifier (list) – Which event identifiers to search for

  • customer (list) – Which customers to search for events for. Search by id or short name

  • productionCustomers (bool) – Restricts the search to customers that either are, or are not, in production. If null (the default) no filter is applied; if true, only production customers are returned; if false, all production customers are excluded.

  • endpoint (list) – Restrict search to events with endpoints matching these criteria. These criteria follow sub request logic: they are OR-ed together by default, but AND-ed together if you set required=true. You can also use exclude=true to match on the negation of the query.

  • attack (list) – Restrict search to events matching these attack criteria. These criteria follow sub request logic: they are OR-ed together by default, but AND-ed together if you set required=true. You can also use exclude=true to match on the negation of the query.

  • domain (list) – Restrict search to events with one of these domains set

  • includeFlag (list) – Restrict search to events with ALL of these flags set

  • excludeFlag (list) – Restrict search to events with NONE of these flags set

  • property (list) – Restrict search to events with properties matching these criteria. These criteria follow sub request logic: they are OR-ed together by default, but AND-ed together if you set required=true. You can also use exclude=true to match on the negation of the query.

  • associatedCaseID (list) – Restrict search to events associated to cases with these IDs. NOTE: Searching for ID 0 will return events that are not associated to any cases.

  • indexStartTimestamp (int) – Only search in indexes after or on this day

  • indexEndTimestamp (int) – Only search in indexes before or on this day

  • order (list) – Which field(s) by which to sort the results

  • includeProperties (list) – Which properties to include (if includeAllProperties=false).

  • limit (int) – Limit the results to the specified amount. If set to 0, all results matching the query are streamed (default 25)

  • offset (int) – Skip the specified number of results (default 0)

  • includeAllProperties (bool) – Whether to include all properties (overrides the selection of ‘includeProperties’ if set to true). (default false)

  • includeComments (bool) – Whether to include comments. (default false)

  • includeSubEvents (bool) – Whether to include sub-events’ IDs (only for aggregated events). (default false)

  • json – return the response’s body as a dict parsed from json. True by default. If set to false, the raw requests.Response object will be returned.

  • verify – path to a certificate bundle or boolean indicating whether SSL verification should be performed.

  • apiKey – Argus API key.

  • authentication – authentication override

  • server_url – API base URL override

  • body – body of the request. Other parameters will override keys defined in the body.

  • api_session – session to use for this request. If not set, the global session will be used.

Raises
  • AuthenticationFailedException – on 401

  • AccessDeniedException – on 403

  • ObjectNotFoundException – on 404

  • ValidationFailedException – on 412

  • ArgusException – on other status codes

Returns

requests.Response object or dictionary translated from JSON

argus_api.lib.events.v2.event.submit_events(startTimestamp: int = None, endTimestamp: int = None, id: dict = None, signature: str = None, severity: str = None, count: int = None, location: str = None, protocol: str = None, source: dict = None, destination: dict = None, flags: str = None, properties: dict = None, subEvents: str = None, uri: str = None, fqdn: str = None, aggregationKey: str = None, associatedCaseID: int = None, associatedCaseIDs: int = None, payload: dict = None, json: bool = True, verify: Optional[bool] = None, proxies: Optional[dict] = None, apiKey: Optional[str] = None, authentication: Optional[dict] = None, server_url: Optional[str] = None, body: Optional[dict] = None, api_session: Optional[ArgusAPISession] = None) -> dict

Submit event to central storage. (INTERNAL)

Parameters
  • startTimestamp (int)

  • endTimestamp (int)

  • id (dict)

  • signature (str) – Event signature. If set, the system will automatically assign alarm and attack category based on this value.

  • severity (str) – Event severity. When creating a new event, the default severity is low.

  • count (int) – Number of occurrences this event represents. The value must be at least 1, which is the default.

  • location (str) – The sensor location (id or shortname) where this event was observed. If set, this location must be resolvable for the current user, and must either belong to the same customer as this event, or be a global location.

  • protocol (str) – The protocol id or well-known name. A numeric protocol ID must be between 0 and 255. A protocol name must be well known (icmp, tcp, udp, esp, ah).

  • source (dict)

  • destination (dict)

  • flags (list) – Event flags requested by the client for this event. On updating an existing event, existing flags will be retained, and flags in the update will be added. Flags that have a PARTIAL flag have custom handling. If the FINALIZED flag is set, additional updates to this event will be ignored.

  • properties (dict) – Custom properties for this event. Each property key may have multiple values. On updating an existing event, setting an existing property will overwrite the existing value. The max length of property keys is 50 characters; keys longer than that will be truncated to the first 50. If there are duplicate keys, one will overwrite the other; this will also happen if there are duplicates after truncation. The max length of each property value is 1024 characters; any value longer than this will be truncated to 1024 characters.

  • subEvents (list) – IDs (on form TYPE/timestamp/customer/UUID) for subevents to this event. Subevents may not be stored yet. The system will validate that all subevents have the same customer as this event.

  • uri (str) – URI observed in this event.

  • fqdn (str) – FQDN observed in this event.

  • aggregationKey (str) – Client specified aggregation key for this event.

  • associatedCaseID (int) – Associated case ID. If set, the associated case must be readable for the current user, and must belong to the same customer as this event.

  • associatedCaseIDs (list) – Add one or more case associations to an event, not required. If set, each associated case must be readable for the current user, and must belong to the same customer as this event.

  • payload (dict)

  • json – return the response’s body as a dict parsed from json. True by default. If set to false, the raw requests.Response object will be returned.

  • verify – path to a certificate bundle or boolean indicating whether SSL verification should be performed.

  • apiKey – Argus API key.

  • authentication – authentication override

  • server_url – API base URL override

  • body – body of the request. Other parameters will override keys defined in the body.

  • api_session – session to use for this request. If not set, the global session will be used.

Raises
  • AuthenticationFailedException – on 401

  • AccessDeniedException – on 403

  • ValidationFailedException – on 412

  • ArgusException – on other status codes

Returns

dictionary translated from JSON
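The limits documented for submit_events (count at least 1, protocol 0-255 or a well-known name, 50-character property keys, 1024-character values with silent overwrite on collision) and the Argus EventID format used by subEvents and reindex_events are easy to trip over, since the server truncates rather than rejects. The following client-side preflight is an added example, not part of argus_api or of the Argus service; the helper names, the sample payload and the assumption that a TYPE segment is alphabetic are constructed for this example.

```python
"""Client-side preflight for a submit_events payload (added example, not argus_api code)."""
from __future__ import annotations
import re

MAX_KEY_LEN = 50        # documented: longer keys are cut to the first 50 characters
MAX_VALUE_LEN = 1024    # documented: longer values are cut to 1024 characters
WELL_KNOWN_PROTOCOLS = {"icmp", "tcp", "udp", "esp", "ah"}

# Argus EventID format TYPE/timestamp/customer/UUID, e.g. the page's
# AGGR/10000/1/8bf1732c-f845-409a-8425-8fad3b5007ab. Alphabetic TYPE is an assumption.
EVENT_ID_RE = re.compile(
    r"^(?P<type>[A-Za-z]+)/(?P<timestamp>\d+)/(?P<customer>\d+)/"
    r"(?P<uuid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$"
)


def parse_event_id(event_id: str) -> dict:
    """Split an Argus EventID into its parts; raise ValueError if malformed."""
    m = EVENT_ID_RE.match(event_id)
    if not m:
        raise ValueError(f"malformed Argus EventID: {event_id!r}")
    parts = m.groupdict()
    parts["timestamp"] = int(parts["timestamp"])
    parts["customer"] = int(parts["customer"])
    return parts


def normalize_properties(properties: dict) -> tuple[dict, list[str]]:
    """Apply the documented key/value truncation locally and report what changed.

    Later keys overwrite earlier ones when they collide after truncation,
    mirroring the documented server behaviour, so the warnings show which
    data would be lost before the request is sent.
    """
    out: dict = {}
    warnings: list[str] = []
    for key, values in properties.items():
        short_key = key[:MAX_KEY_LEN]
        if short_key != key:
            warnings.append(f"key truncated: {key!r} -> {short_key!r}")
        if short_key in out:
            warnings.append(f"duplicate key after truncation overwritten: {short_key!r}")
        if not isinstance(values, (list, tuple)):   # each key may carry several values
            values = [values]
        clipped = []
        for v in values:
            v = str(v)
            if len(v) > MAX_VALUE_LEN:
                warnings.append(f"value truncated for key {short_key!r}")
                v = v[:MAX_VALUE_LEN]
            clipped.append(v)
        out[short_key] = clipped
    return out, warnings


def preflight_event(event: dict, customer_id: int) -> list[str]:
    """Return the problems that the documented validation would reject (412)."""
    problems: list[str] = []
    count = event.get("count", 1)
    if not isinstance(count, int) or count < 1:
        problems.append(f"count must be >= 1, got {count!r}")
    proto = event.get("protocol")
    if proto is not None:
        if isinstance(proto, int):
            if not 0 <= proto <= 255:
                problems.append(f"numeric protocol must be 0-255, got {proto}")
        elif str(proto).lower() not in WELL_KNOWN_PROTOCOLS:
            problems.append(f"unknown protocol name {proto!r}")
    for sub in event.get("subEvents") or []:
        try:
            parsed = parse_event_id(sub)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        # the server validates that every sub-event shares this event's customer
        if parsed["customer"] != customer_id:
            problems.append(f"sub-event {sub} belongs to customer {parsed['customer']}, not {customer_id}")
    return problems
```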

argus_api.lib.events.v2.event.submit_events_bulk(events: dict = None, onError: str = None, json: bool = True, verify: Optional[bool] = None, proxies: Optional[dict] = None, apiKey: Optional[str] = None, authentication: Optional[dict] = None, server_url: Optional[str] = None, body: Optional[dict] = None, api_session: Optional[ArgusAPISession] = None) -> dict

Submit a bulk of events to central storage. (INTERNAL)

Parameters
  • events (list) – Events to submit in this bulk.

  • onError (str) – Define how validation errors on single events should be handled. In mode dropInvalid, invalid events are ignored and reported in the response. The default mode is rejectAll, which causes a 412 error on the entire request on a validation failure for any event.

  • json – return the response’s body as a dict parsed from json. True by default. If set to false, the raw requests.Response object will be returned.

  • verify – path to a certificate bundle or boolean indicating whether SSL verification should be performed.

  • apiKey – Argus API key.

  • authentication – authentication override

  • server_url – API base URL override

  • body – body of the request. Other parameters will override keys defined in the body.

  • api_session – session to use for this request. If not set, the global session will be used.

Raises
Returns

dictionary translated from JSON